The organization will evaluate its IT staffing requirements on a regular basis and ensure that it has a sufficient number of competent staff members. [UCF ID 00775]
Supporting and supported controls
This control directly supports:
• Maintain the IT staff structure in line with strategic goals [UCF Control ID 00764]
This control has the following supporting controls:
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Audit Exam Tier I Obj 4.1; FFIEC IT Examination Handbook – Management Exam Obj 2.1; FFIEC IT Examination Handbook – Operations Pg 4; FFIEC IT Examination Handbook – E-Banking Pg A-3; CobiT 4.1 PO4.12; The Standard of Good Practice for Information Security SM2.2.5(a), SM2.2.5(b), CB2.1.4(e), UE1.1.4(f); Sarbanes-Oxley Act (SOX) ¶¶ 117-121; AICPA Suitable Trust Services Criteria ¶ .17 § 3.10, ¶ .20 § 3.13, ¶ .24 § 3.14, ¶ .29 § 3.13; Clinger-Cohen Act (Information Technology Management Reform Act) A-130 9(f)(2)
Sarbanes Oxley Guidance
¶¶ 117-121 of PCAOB Auditing Standard No. 2 state that the auditor should evaluate the objectivity and level of competence of the individuals performing the work of others. The factors the auditor should use in determining objectivity include the organizational status of the individual performing the work and policies prohibiting individuals performing the work from testing controls in areas where they previously worked, where they are being assigned, or where their relatives are working. The factors the auditor should use in determining the level of competence include professional experience, educational level, professional certifications, the quality of their documentation, and an evaluation of their performance.
¶ .17 § 3.10, ¶ .20 § 3.13, ¶ .24 § 3.14, ¶ .29 § 3.13 of AICPA Suitable Trust Services Criteria state that the organization should periodically evaluate the staffing requirements to ensure they are consistent with the organization's security policy.
§ II.A of OMB Circular A-123 Management’s Responsibility for Internal Control states that management should clearly state its commitment to hiring competent personnel and support the organization's policy for hiring new personnel.
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Operations Pg 4 states that operations management should ensure the organization has the proper staffing in terms of experience, numbers, and skills.
The FFIEC IT Examination Handbook – E-Banking Pg A-3 states that the organization should have the proper expertise to make decisions about e-banking and network security.
